EP calls for a clear legal framework for the Internet of Things

By EDRi · June 30, 2010

This article is also available in:
Deutsch: [Europa-Parlament für klaren gesetzlichen Rahmen für das Internet der Dinge | http://www.unwatched.org/node/2034]

In a resolution on the Internet of Things, adopted on 15 June 2010, the
European Parliament (EP) welcomes the communication of the Commission on
the topic and in principle endorses the broad outlines of the action plan to
promote the Internet of Things.

The Parliament however takes the view that the development of new
applications and the actual functioning and business potential of the
Internet of Things will be intrinsically linked to the trust European
consumers have in the system, and points out that trust exists when doubts
about potential threats to privacy and health are clarified. It stresses
that this trust must be based on a clear legal framework, including rules
governing the control, collection, processing and use of the data collected
and transmitted by the Internet of Things and the types of consent needed
from consumers.

The Parliament further notes that the Internet of Things will lead to the
collection of truly massive amounts of data and calls on the Commission, in
this connection, to submit a proposal for the adaptation of the European
Data Protection Directive with a view to address the data collected and
transmitted by the Internet of Things.

In the view of the Parliament, respect for privacy and the protection of
personal data together with openness and interoperability are the only ways
the Internet of Things will gain wider social acceptance. The EP firmly
believes that all users should have control over their personal data and
stresses that a precondition for promoting technology is the introduction of
legal provisions to reinforce respect for the fundamental values and for the
protection of personal data and privacy.

In the context of privacy by design, the European Parliament also notes the
opinion of the European Data Protection Supervisor (EDPS) on this topic, who
stressed the importance of Privacy by Design as the guiding
principle and highlighted that in the context of RFID, the existing data
protection rules need to be complemented with additional rules imposing
specific safeguards, particularly making it mandatory to embed technical
solutions (Privacy by Design) in RFID technology. He furthermore expressed
his concern that RFID operators in the retail sector may overlook the
possibility for RFID tags to be monitored by unwanted third parties and
thinks it is conceivable that self-regulation will not deliver the expected
results. He therefore called upon the Commission to be ready to propose
legislative instruments regulating the main issues of RFID usage in case the
effective implementation of the existing legal framework fails.

This call for a regulation of the main issues of RFID usage now obviously
gained support from the European Parliament which, in addition, underlines
that RFID applications must be operated in accordance with the rules on
privacy and data protection enshrined in Articles 7 and 8 of the Charter of
Fundamental Rights of the European Union.

The resolution of the Parliament not only addresses the European Commission
but also calls on manufacturers to secure the right to “chip silence” and
calls for RFID application operators to take all reasonable steps to ensure
that data does not relate to an identified or identifiable natural person
unless such data is processed in compliance with the applicable principles
and legal rules on data protection.

It is the believe of the Parliament that a general principle should be
adopted whereby Internet of Things technologies should be designed to
collect and use only the absolute minimum amount of data needed to perform
their function, and should prevent from collecting any supplementary data.
It calls for a significant amount of the data shared by the Internet of
Things to be made anonymous before being transmitted, in order to secure

The European Parliament believes in the importance of ensuring that all
fundamental rights – not only privacy – are protected in the process of
developing the Internet of Things and calls on the Commission to monitor
closely the implementation of the European regulations already adopted in
this area and to present, by the end of the year, a timetable for the
guidelines it intends to propose at the EU level for improving the safety of
the Internet of Things and of RFID applications.

As EDRi-gram reported earlier this year the resolution was drafted by MEP
Maria Badia i Cutchet, rapporteur to the European Parliament’s Committee on
Industry, Research and Energy (ITRE) including opinions of the Committees on
International Trade, Internal Market and Consumer Protection and Legal

The EP Resolution has to be seen not only in the context of the European
Commission’s communication on the Internet of Things and the EDPS opinion on
Privacy by Design, but also of the European Commission’s RFID recommendation
and the Industry proposal for an RFID Privacy Impact Assessment, which
unfortunately fails to identify a single specific risk.

In this context, the resolution of the European Parliament can be seen as
another strong signal towards the European Commission to act without undue
delay to effectively protect the fundamental rights of individuals affected
by RFID and other technologies related to the Internet of Things and towards
manufacturers and RFID application operators to take their obligations
serious and effectively secure privacy and data protection rights of all
persons affected by their products and applications.

European Parliament resolution of 15 June 2010 on the Internet of Things
(2009/2224(INI)) (15.06.2010)

Communication to the European Parliament, the Council, the EESC and the
committee of the Regions: Internet of Things – An action plan for Europe

EDRi-gram: EP, EDPS and EDRi on RFID and the Internet of Things (24.03.2010)

EDRi-gram: Industry proposed RFID Privacy Impact Assessment Framework

Commission Recommendation on the implementation of privacy and data
protection principles in applications supported by radio-frequency
identification (12.05.2009)

(Contribution by Andreas Krisch – EDRi)